MF0013 Internal Audit and Control

Q1. Discuss, in brief, the advantages and limitations of auditing. Ans. Advantages of Financial Audit 1. Statutory financial audit gives the owners of a company and other stakeholders the assurance that annual financial reports give true and rational view about the companys financial performance. 2. Tax audit viz., the audit of financials of the company based on which taxable income is determined and tax paid is mandatory. Tax auditors report has to be filed with the tax return. 3. Internal financial audit assists the CEO and his team of operating managers regularly and much more frequently in understanding the financial performance of the company and taking corrective actions necessary. 4. Financial audit is an invaluable tool for prevention and early detection of fraud and errors. 5. Audited financial report together with the auditors report is necessary for a company in sourcing funds from banks and other financial institutions. 6. The audited balance sheet of a company read with the auditors report is often the base document for valuation of companies in case mergers, acquisitions or outright sales. Limitations of Financial Audit 1. It is a post-mortem: The annual statutory audit is not a concurrent activity, but starts only after the year is over. Naturally, the auditor has to rely on explanations given to him by the accountant for activities that happened quite a while ago. The essential truth behind some of the figures may therefore still remain undiscovered. 2. It is a test check: The auditor cannot examine all the transactions given the time and cost constraints. He applies test checks using statistical sampling techniques. The inherent weaknesses of such methods carry an element of uncertainty or risk. Thus, auditing only reduces and does not eliminate the possibilities of erroror fraud. 3. Inherent limitations of internal control system: An auditor largely relies on the internal controls of the enterprise as he cannot check everything. Internal controls are the inbuilt checks and balances in the companys accounting and administration. (a) Certain levels of management may override control and make exceptions to procedures. (b) Persons operating the internal control and employees or outside parties may collude and render the controls ineffective.

Page | 1

Q2. Explain the key objectives of a good internal audit system. Write down the essentials for effective internal auditing. Ans. The key objectives of a good internal audit system are: 1. Evaluation of accounting controls: Ensuring that the checks and balances in the accounting processes are effective and provide the required accounting controls. 2. Compliance with policies and procedures: Verifying compliance with the policies and procedures laid down for key activities and reporting acts of omission and commission. For example, if a purchase order for capital equipment of any value requires the Purchase department to get at least 3 quotes, internal audit have to check if this rule has been followed in all cases, and report exceptions. 3. Protection and optimal utilisation of business assets: Ensuring physical availability and usefulness of fixed assets as per companys records, and checking utilisation of major assets vis--vis plan. For example, a piece of equipment purchased has not been installed within a reasonable period of time. The auditor will check and report on the justification for the asset not having been put to use. 4. Testing the reliability of Management Information Systems (MIS): Reviewing the management reporting structure and the utility of reports flowing out of the system. Essentials for Effective Internal Auditing Appropriate organisational status: The internal auditor should ideally report to the CEO and the Board of the company, and should not be brought under a Functional Head like the CFO. Independence: Internal auditors must have independence at work. This facilitates them to offer impartial and unbiased opinion and advice. Technical competence: The internal audit team should be professionally qualified, well-experienced and adequately trained. Professional approach: The internal auditor should exercise due professional care in fulfilling his responsibilities. His professionalism should be evidenced by the existence of audit manuals, clear audit programs and neatly filed working papers for each job. Reporting and follow-up: Audit findings must first be reported to the auditee and together with the auditees response the findings should be reported to top management, preferably with a recommended solution. Action agreed by the auditee should be followed up and its closure duly.

Page | 2

Q3. List the required qualifications of an internal auditor. Describe the role of internal auditor in the companys management. Ans. Qualifications of Internal Auditor When appointing an internal auditor, the management of a company looks for the following attributes: a. Necessary expertise to evaluate business control systems, especially financial and accounting controls: This is the crux of the internal audit function as the focus is always on financial performance and viability of the enterprise. b. Basic knowledge of the technology and commercial practices adopted by the business, since he is expected to evaluate the operational performance of the enterprise. c. Thorough knowledge of management theories and best-in-class practices. d. Excellent interpersonal skills: The auditors may at times have to comment adversely on the work of their own colleagues. They should be able to do this in an acceptable manner and yet produce the intended result. e. Unbiased reporting and strong professional approach. f. Unimpeachable integrity and the highest ethical standards.

Role of Internal Auditor in the Companys Management 1. Review of internal control systems: The internal auditor should review the internal control systems of the organisation. He should determine whether the existing control systems are appropriate and commensurate with the objectives, size, etc. of the organisation. For example a small company cannot afford a separate credit control department and so it will need strong controls in the sales accounting process to minimise customer payment default. 2. Review of safeguards for assets: The auditor should regularly review the adequacy of insurance covers for fixed assets and complete accounting of all transactions relating to fixed assets, etc. 3. Review of compliance with policies, plans, procedures and regulations: The internal auditor should include a regular checklist of compliances by different functions of laid down procedural requirements. When a non-observance is spotted, he should inquire and ascertain the reason for the deviation, and report the event together with the proposed solution. 4. Review of organisation structure: A well-designed organisation structure is the basic requirement for the smooth functioning of any organisation. Organisation structure defines the authorities and responsibilities of executives. The internal auditor should evaluate the organisation structure from the following dimensions: a. Simplicity and lack of ambiguity.

Page | 3

b. Clear definition of authority and responsibility at each level. c. Balance of power, to ensure there is no undue dominance of any function. d. Balance of responsibility, to ensure proper unity of command and span of control. e. Effective communication of the organisation chart to all concerned. 5. Review of deployment of resources: The internal auditor reviews utilisation of resources deployed for the business men, machines, money, materials and management to identify deviations both by way of excessive use of resources and resources that are under-utilised. He would be able to do this vis--vis the planned capacities and resources, and should include in his report significant trends and happenings. 6. Review of reliability of information: The Management Reporting and Information System (MRIS) of the company is an important aspect to be reviewed by the internal auditor. The content, format, frequency and timeliness of key management reports should be evaluated by discussions with the functional mangers receiving the reports as well as with the finance manager who is usually the provider of the reports. The objective of this review is to see to what extent the information flow has helped in taking good decisions. 7. Review of achievement of company objectives: While the reviews in the foregoing paragraphs are centred on the management processes, the managers are essentially hired to deliver results and achieve the targets set for them. The internal auditor therefore reviews the final results achieved vis--vis planned results. As they say, the proof of the pudding is in the eating, and if for instance the company has under-performed, audit can make it clear whether the failure to achieve was for internal reasons or external factors beyond managements control.

Page | 4

Q4. Explain the basic principles of governing internal control. Ans. Basic Principles Governing Internal Control The basic principles governing internal control are as follows: 1. A proper system, preferably in writing, must be implemented so that origination, recording and accounting of business transactions take place in a standardised way. 2. The authority and responsibility of every official should be fixed. 3. Accounting entries should not be allowed without a supporting document. 4. No person should handle a transaction end to end: the work of a person should be checked automatically by another person in the same or another department. 5. Responsibility for the custody and control of assets should be segregated from the responsibility of accounting for the assets. 6. As far as possible controls should be built into the functions themselves. For example the objective of reducing credit risk and minimising collection period can be met through controls in the accounting and sales system instead of having a separate credit control function. 7. Every internal control should be established after a cost-benefit analysis. 8. Books of accounts should be maintained up to date. 9. The entity must have a system of rotation of duties among employees. Employees should be encouraged to take leave as per their roster, especially employees handling cash. 10. The system should have inbuilt verification system from independent records. For example verification of bank balances from bank statement, comparison of purchase ledger account with supplier statement, etc. 11. The system should facilitate cross-functional physical verification of assets: for example cash verification by Purchase official or inventory test-check by Accounts staff. 12. A reliable and accurate Management Information System (MIS) should be in place.

Page | 5

Q5. Discuss the specific problems of Electronic Data Processing (EDP) relating to internal control. Ans. The implementation of internal control in an EDP system, give rise to the following problems: (a) Separation of duties: The responsibility for initiating transactions, recording transactions and custody of assets, lies with separate individuals in a manual system. This is a basic control necessity for any organisation. (b) Delegation of authority and responsibility: An essential characteristic of internal control is a clear line of authority and responsibility. However, in a computer system the delegation of authority and responsibility in a clear way may be difficult because multiple users may share some resources. (c) Competent and trustworthy personnel: Data processing technology is much more complex today as compared to the days of manual systems. Personnel who are highly skilled are required to develop, modify, operate and maintain computer systems today. (d) System of authorisations: There are two types of authorisations to execute transactions, issued by management. Policies that an organisation follows are established by general authorisations. In a manual system, auditors evaluate the adequacy of procedures for authorisation by examining the work of employees. However, in a computer system, a particular program may often have authorisation procedures embedded within. For example, the order entry module in a sales system may determine the price to be charged to a customer. (e) Adequate documents and records: A manual system requires adequate documents and records if it is to provide an audit trail of activities within the system. On the other hand, in computer systems, documents may not be used to support the initiation, execution and recording of certain transactions. (f) Physical control over assets and records: It is critical for internal control to have physical control over assets and access to records. Computer systems differ from manual systems in the way they concentrate the data processing assets and records at one location. For example in a manual system records are at their locations of origin, but in an EDP system they may be maintained at the data processing installation and a person does not have to coordinate different locations to execute a fraud. (g) Adequate management supervision: Management supervision of employee activities is relatively straightforward in a manual system. This is because employees and managers are often at the same physical location. (h) Comparing recorded accountability with assets: To assess if shortages in the assets have occurred or inaccuracies or incompleteness exist, a periodical comparison between assets and the data that is a record of those assets must be

Page | 6

done.

Q6. Explain the factors for having the effective internal control system for a bank. Ans. Internal control system in banks Different factors influence the internal control structure of any organisation: size, complexity and risk profile of its operations. In this regard an effective internal control system for a bank should consider the following aspects: 1. Control environment: Control environment is the foundation of an internal control system. It includes and reflects the factors that influence the control consciousness of its people. As per Auditing and Assurance Standard 6 issued by ICAI (AAS6), control environment is the overall attitude, awareness and actions of directors and management about the internal control system and its importance in the entity. Factors reflected in the control environment include: a) Organisational structure of the entity and means of assigning authority and responsibility (including segregation of duties and supervisory functions) b) The function performed by the board of directors and its committees in any company or any similar governing body in any other entity. c) The philosophy of management. d) Systems of management control that includes internal audit, personnel policies, etc. 2. Risk recognition and assessment: To be effective, an internal control system should recognise and continually assess all material risks internal and external, controllable and uncontrollablethat could affect the achievement of the banks objectives. The bank faces various risks at different levels credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, etc. The management must identify, measure and analyse these risks. 3. Control activities: Control activities are management actions to ensure that the personnel are following the banks established policies and procedures. Specific control procedures include: e) Reporting and reviewing reconciliations. f) Checking arithmetical accuracy of the records. g) Controlling applications and environment of computer information environment systems. h) Maintaining and reviewing control accounts and related subsidiary ledgers. i) Ensuring approval and control of documents. j) Comparing internal data with relevant external information.
Page | 7

k) Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records. l) Restricting access to assets, records and information. m) Comparing and analysing results with corresponding budgets 4. Segregation and rotation of duties: Authorities and responsibilities of every department should be clearly defined based on the policies of the management, preferably in writing. There should not be any scope of duplication of jobs, duties and assignments. The entity must have a system of rotation of duties among employees. 5. Authorisation of transactions: Banks usually prescribe well-set systems of approval and authorisation, both generally applicable and specific to some transactions. As public money is often involved, it is vital that authority levels are not breached. For example an industrial advance sanction may require zonal office clearance, while renewal of the advance may be within the authority of a branch head. 6. Accountability for assets: To ensure accountability and safeguarding of assets, it is important that complete records are maintained and access is limited to the authorised personnel only. Every access and every user should be documented. Periodic checking of actual assets with records and identifying discrepancies must be mandated. 7. Accounting, information and communication systems: A comprehensive system of accounting, financial reporting (both management and statutory) and non-financial analysis and reporting with clear content, format and frequency should be in place. Banks usually adopt the following procedures to meet this need: a) All records are maintained as prescribed with transaction-level details. b) A unique code number is assigned to each branch and that number should be mentioned in all important documents. c) All inter office transactions are reconciled methodically during accounts closing. 8. Monitoring activities: A full-fledged monitoring system should be in place to assess the effectiveness of internal controls continually. Monitoring is done internally as well as externally. For internal monitoring or self-assessment the review functions are delegated to the staff at different levels. Monitoring activities are integrated to the daily activities as well as undertaken as specified periodic evaluations.

Page | 8